AZ-305
Exam Name: Designing Microsoft Azure Infrastructure Solutions
Full version: 294 Q&As
Full version of AZ-305 Dumps
Share some AZ-305 exam dumps below.
https://www.certqueen.com/AZ-305.html
1. You have an on-premises Microsoft SQL server named SQL1 that hosts 50 databases.
You plan to migrate SQL1 to Azure SQL Managed Instance.
You need to perform an offline migration of SQL1. The solution must minimize administrative
effort.
What should you include in the solution?
A. SQL Server Migration Assistant (SSMA)
B. Azure Migrate
C. Data Migration Assistant (DMA)
D. Azure Database Migration Service
Answer: D
Explanation:
This Azure service supports migration in the offline mode for applications that can afford
downtime during the migration process. Unlike the continuous migration in online mode, offline
mode migration runs a one-time restore of a full database backup from the source to the target.
https://learn.microsoft.com/en-us/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview?view=azuresql#compare-migration-options
2. You have an on-premises Microsoft SQL Server 2008 instance that hosts a 50-GB database.
You need to migrate the database to an Azure SQL managed instance. The solution must
minimize downtime.
What should you use?
A. Azure Migrate
B. WANdisco LiveData Platform for Azure
C. Azure Data Studio
D. SQL Server Management Studio (SSMS)
Answer: C
3. You need to recommend a solution to deploy containers that run an application. The
application has two tiers.
Each tier is implemented as a separate Docker Linux-based image.
The solution must meet the following requirements:
• The front-end tier must be accessible by using a public IP address on port 80.
• The backend tier must be accessible by using port 8080 from the front-end tier only.
• Both containers must be able to access the same Azure file share.
• If a container fails, the application must restart automatically.
• Costs must be minimized.
What should you recommend using to host the application?
A. Azure Kubernetes Service (AKS)
B. Azure Service Fabric
C. Azure Container instances
D. Azure Container registries
Answer: C
Explanation:
Azure Container Instances enables a layered approach to orchestration, providing all of the
scheduling and management capabilities required to run a single container, while allowing
orchestrator platforms to manage multi-container tasks on top of it.
Because the underlying infrastructure for container instances is managed by Azure, an
orchestrator platform does not need to concern itself with finding an appropriate host machine
on which to run a single container.
Azure Container Instances can schedule both Windows and Linux containers with the same
API.
Orchestration of container instances exclusively
Because they start quickly and bill by the second, an environment based exclusively on Azure
Container Instances offers the fastest way to get started and to deal with highly variable
workloads.
Reference:
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-overview
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-orchestrator-relationship
4. You deploy two instances of an Azure web app. One instance is in the East US Azure region
and the other instance is in the West US Azure region. The web app uses Azure Blob storage to
deliver large files to end users.
You need to recommend a solution for delivering the files to the users.
The solution must meet the following requirements:
• Ensure that the users receive files from the same region as the web app that they access.
• Ensure that the files only need to be updated once.
• Minimize costs.
What should you include in the recommendation?
A. Azure File Sync
B. Distributed File System (DFS)
C. read-access geo-redundant storage (RA-GRS)
D. geo-redundant storage (GRS)
Answer: C
5. You have an Azure subscription. The subscription has a blob container that contains multiple
blobs. Ten users in the finance department of your company plan to access the blobs during the
month of April. You need to recommend a solution to enable access to the blobs during the
month of April only.
Which security solution should you include in the recommendation?
A. shared access signatures (SAS)
B. access keys
C. conditional access policies
D. certificates
Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
This allows for limited-time, fine-grained access control to resources. You can generate a URL,
specify the duration (the month of April), and distribute the URL to the 10 team members. On May 1,
the SAS token is automatically invalidated, denying team members continued access.
6. You are designing a message application that will run on an on-premises Ubuntu virtual
machine.
The application will use Azure Storage queues.
You need to recommend a processing solution for the application to interact with the storage
queues.
The solution must meet the following requirements:
• Create and delete queues daily.
• Be scheduled by using a CRON job.
• Upload messages every five minutes.
What should developers use to interact with the queues?
A. Azure CLI
B. AzCopy
C. Azure Data Factory
D. .NET Core
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/storage/queues/storage-tutorial-queues
7. You plan to use an Azure Storage account to store data assets.
You need to recommend a solution that meets the following requirements:
• Supports immutable storage
• Disables anonymous access to the storage account
• Supports access control list (ACL)-based Azure AD permissions
What should you include in the recommendation?
A. Azure Blob Storage
B. Azure Data Lake Storage
C. Azure NetApp Files
D. Azure Files
Answer: C
8. You need to deploy resources to host a stateless web app in an Azure subscription.
The solution must meet the following requirements:
• Provide access to the full .NET framework.
• Provide redundancy if an Azure region fails.
• Grant administrators access to the operating system to install custom application
dependencies.
Solution: You deploy a web app in an Isolated App Service plan.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead, you should deploy an Azure virtual machine to two Azure regions, and you create a
Traffic Manager profile.
9. You have an on-premises network and an Azure subscription. The on-premises network has
several branch offices.
A branch office in Toronto contains a virtual machine named VM1 that is configured as a file
server.
Users access the shared files on VM1 from all the offices.
You need to recommend a solution to ensure that the users can access the shared files as
quickly as possible if the Toronto branch office is inaccessible.
What should you include in the recommendation?
A. a Recovery Services vault and Azure Backup
B. an Azure file share and Azure File Sync
C. Azure blob containers and Azure File Sync
D. a Recovery Services vault and Windows Server Backup
Answer: B
Explanation:
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping
the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync
transforms Windows Server into a quick cache of your Azure file share.
You need an Azure file share in the same region that you want to deploy Azure File Sync.
Incorrect Answers:
A: Backups would be a slower solution.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
10. You have an Azure Functions microservice app named App1 that is hosted in the
Consumption plan.
App1 uses an Azure Queue Storage trigger.
You plan to migrate App1 to an Azure Kubernetes Service (AKS) cluster.
You need to prepare the AKS cluster to support App1.
The solution must meet the following requirements:
• Use the same scaling mechanism as the current deployment.
• Support kubenet and Azure Container Networking Interface (CNI) networking.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.
A. Configure the horizontal pod autoscaler.
B. Install Virtual Kubelet.
C. Configure the AKS cluster autoscaler.
D. Configure the virtual node add-on.
D. Install Kubernetes-based Event Driven Autoscaling (KEDA).
Answer: A, D
11. HOTSPOT
You deploy several Azure SQL Database instances.
You plan to configure the Diagnostics settings on the databases as shown in the following
exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
In the exhibit, the SQLInsights data is configured to be stored in Azure Log Analytics for 90
days. However, the question is asking for the “maximum” amount of time that the data can be
stored which is 730 days.
12. You have SQL Server on an Azure virtual machine. The databases are written to nightly as
part of a batch process.
You need to recommend a disaster recovery solution for the data.
The solution must meet the following requirements:
• Provide the ability to recover in the event of a regional outage.
• Support a recovery time objective (RTO) of 15 minutes.
• Support a recovery point objective (RPO) of 24 hours.
• Support automated recovery.
• Minimize costs.
What should you include in the recommendation?
A. Azure virtual machine availability sets
B. Azure Disk Backup
C. an Always On availability group
D. Azure Site Recovery
Answer: D
Explanation:
Replication with Azure Site Recovery:
RTO is typically less than 15 minutes.
RPO: One hour for application consistency and five minutes for crash consistency.
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-sql
13. Your company currently has an application that is hosted on their on-premises environment.
The application currently connects to two databases in the on-premises environment. The
databases are named whizlabdb1 and whizlabdb2.
You have to move the databases onto Azure. The databases have to support server-side
transactions across both of the databases.
Solution: You decide to deploy the databases to an Azure SQL database-managed instance.
Would this fulfill the requirement?
A. Yes
B. No
Answer: A
14. You plan to deploy an application named App1 that will run on five Azure virtual machines.
Additional virtual machines will be deployed later to run App1.
You need to recommend a solution to meet the following requirements for the virtual machines
that will run App1:
• Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to gain
access to an Azure key vault, Azure Logic Apps instances, and an Azure SQL database.
• Avoid assigning new roles and permissions for Azure services when you deploy additional
virtual machines.
• Avoid storing secrets and certificates on the virtual machines.
Which type of identity should you include in the recommendation?
A. a service principal that is configured to use a certificate
B. a system-assigned managed identity
C. a service principal that is configured to use a client secret
D. a user-assigned managed identity
Answer: D
Explanation:
Managed identities for Azure resources is a feature of Azure Active Directory.
User-assigned managed identity can be shared. The same user-assigned managed identity can
be associated with more than one Azure resource.
Incorrect Answers:
B: System-assigned managed identity cannot be shared. It can only be associated with a single
Azure resource.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
15. HOTSPOT
You plan to create an Azure environment that will contain a root management group and 10
child management groups. Each child management group will contain five Azure subscriptions.
You plan to have between 10 and 30 resource groups in each subscription.
You need to design an Azure governance solution.
The solution must meet the following requirements:
• Use Azure Blueprints to control governance across all the subscriptions and resource groups.
• Ensure that Blueprints-based configurations are consistent across all the subscriptions and
resource groups.
• Minimize the number of blueprint definitions and assignments.
What should you include in the solution? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
16. Your company has the infrastructure shown in the following table.
The on-premises Active Directory domain syncs to Azure Active Directory (Azure AD).
Server1 runs an application named App1 that uses LDAP queries to verify user identities in the
on-premises Active Directory domain.
You plan to migrate Server1 to a virtual machine in Subscription1.
A company security policy states that the virtual machines and services deployed to
Subscription1 must be prevented from accessing the on-premises network.
You need to recommend a solution to ensure that App1 continues to function after the migration.
The solution must meet the security policy.
What should you include in the recommendation?
A. Azure AD Domain Services (Azure AD DS)
B. an Azure VPN gateway
C. the Active Directory Domain Services role on a virtual machine
D. Azure AD Application Proxy
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview
Azure Active Directory Domain Services (Azure AD DS) provides managed domain services
such as domain join, group policy, lightweight directory access protocol (LDAP), and
Kerberos/NTLM authentication.
Azure AD Domain Services (Azure AD DS): This one could work since AAD DS will bring in the
existing accounts from Azure AD, which in turn are synchronised from on-premises AD over AD
Connect. However, you would probably need to reconfigure the app and update the LDAP
connection.
Azure Active Directory (Azure AD) supports LDAP authentication via Azure AD Domain
Services (AD DS). https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ldap
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization
17. DRAG DROP
You have two app registrations named App1 and App2 in Azure AD. App1 supports role-based
access control (RBAC) and includes a role named Writer.
You need to ensure that when App2 authenticates to access App1, the tokens issued by Azure
AD include the Writer role claim.
Which blade should you use to modify each app registration? To answer, drag the appropriate
blades to the correct app registrations. Each blade may be used once, more than once, or not at
all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each
correct selection is worth one point.
Answer:
18. You architect a solution that calculates 3D geometry from height-map data.
You have the following requirements:
• Perform calculations in Azure.
• Each node must communicate data to every other node.
• Maximize the number of nodes to calculate multiple scenes as fast as possible.
• Require the least amount of effort to implement.
You need to recommend a solution.
Which two actions should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a render farm that uses Azure Batch.
B. Enable parallel file systems on Azure.
C. Enable parallel task execution on compute nodes.
D. Create a render farm that uses virtual machine (VM) scale sets.
E. Create a render farm that uses virtual machines (VMs).
Answer: AC
19. HOTSPOT
You have an Azure Load Balancer named LB1 that balances requests to five Azure virtual
machines.
You need to develop a monitoring solution for LB1.
The solution must generate an alert when any of the following conditions are met:
• A virtual machine is unavailable.
• Connection attempts exceed 50,000 per minute.
Which signal should you include in the solution for each condition? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Data path availability
Standard Load Balancer continuously exercises the data path from within a region to the load
balancer front end, all the way to the SDN stack that supports your VM. As long as healthy
instances remain, the measurement follows the same path as your application's load-balanced
traffic. The data path that your customers use is also validated. The measurement is invisible to
your application and does not interfere with other operations.
Note: Load balancer distributes inbound flows that arrive at the load balancer's front end to
backend pool instances. These flows are according to configured load-balancing rules and
health probes. The backend pool instances can be Azure Virtual Machines or instances in a
virtual machine scale set.
Box 2: SYN count
SYN (synchronize) count: Standard Load Balancer does not terminate Transmission Control
Protocol (TCP) connections or interact with TCP or UDP packet flows. Flows and their
handshakes are always between the source and the VM instance. To better troubleshoot your
TCP protocol scenarios, you can make use of SYN packets counters to understand how many
TCP connection attempts are made. The metric reports the number of TCP SYN packets that
were received.
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
20. Your company has offices in the United States, Europe, Asia, and Australia.
You have an on-premises app named App1 that uses Azure Table storage. Each office hosts a
local instance of App1.
You need to upgrade the storage for App1.
The solution must meet the following requirements:
• Enable simultaneous write operations in multiple Azure regions.
• Ensure that write latency is less than 10 ms.
• Support indexing on all columns.
• Minimize development effort.
Which data platform should you use?
A. Azure SQL Database
B. Azure SQL Managed Instance
C. Azure Cosmos DB
D. Table storage that uses geo-zone-redundant storage (GZRS) replication
Answer: D
Explanation:
Azure Cosmos DB Table API has
• Single-digit millisecond latency for reads and writes, backed with <10-ms latency reads and
<15-ms latency writes at the 99th percentile, at any scale, anywhere in the world.
• Automatic and complete indexing on all properties, no index management.
• Turnkey global distribution from one to 30+ regions. Support for automatic and manual
failovers at any time, anywhere in the world.
Reference: https://docs.microsoft.com/en-us/azure/cosmos-db/table-support
21. DRAG DROP
You have an on-premises network that uses an IP address space of 172.16.0.0/16.
You plan to deploy 25 virtual machines to a new Azure subscription.
You identify the following technical requirements.
• All Azure virtual machines must be placed on the same subnet, subnet1.
• All the Azure virtual machines must be able to communicate with all on-premises servers.
• The servers must be able to communicate between the on-premises network and Azure by
using a site-to-site VPN.
You need to recommend a subnet design that meets the technical requirements.
What should you include in the recommendation? To answer, drag the appropriate network
addresses to the correct subnet. Each network address may be used once, more than once or
not at all. You may need to drag the split bar between panes or scroll to view content. NOTE:
Each correct selection is worth one point.
Answer:
22. You are designing a microservices architecture that will support a web application.
The solution must meet the following requirements:
• Allow independent upgrades to each microservice
• Deploy the solution on-premises and to Azure
• Set policies for performing automatic repairs to the microservices
• Support low-latency and hyper-scale operations
You need to recommend a technology.
What should you recommend?
A. Azure Service Fabric
B. Azure Container Service
C. Azure Container Instance
D. Azure Virtual Machine Scale Set
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-overview
23. You need to recommend a strategy for migrating the database content of WebApp1 to
Azure.
What should you include in the recommendation?
A. Use Azure Site Recovery to replicate the SQL servers to Azure.
B. Use SQL Server transactional replication.
C. Copy the BACPAC file that contains the Azure SQL database file to Azure Blob storage.
D. Copy the VHD that contains the Azure SQL database files to Azure Blob storage
Answer: D
Explanation:
Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must
prepare the virtual hard disk (VHD or VHDX).
Scenario: WebApp1 has a web tier that uses Microsoft Internet Information Services (IIS) and a
database tier that runs Microsoft SQL Server 2016. The web tier and the database tier are
deployed to virtual machines that run on Hyper-V.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
24. You plan to deploy an Azure App Service web app that will have multiple instances across
multiple Azure regions.
You need to recommend a load balancing service for the planned deployment.
The solution must meet the following requirements:
• Maintain access to the app in the event of a regional outage.
• Support Azure Web Application Firewall (WAF).
• Support cookie-based affinity.
• Support URL routing.
What should you include in the recommendation?
A. Azure Front Door
B. Azure Load Balancer
C. Azure Traffic Manager
D. Azure Application Gateway
Answer: B
Explanation:
Azure Traffic Manager performs the global load balancing of web traffic across Azure regions,
which have a regional load balancer based on Azure Application Gateway. This combination
gets you the benefits of Traffic Manager's many routing rules and Application Gateway's
capabilities, such as WAF, TLS termination, path-based routing, and cookie-based session
affinity, among others.
Reference: https://docs.microsoft.com/en-us/azure/application-gateway/features
25. HOTSPOT
You have an Azure subscription that contains a virtual network named VNET1 and 10 virtual
machines. The virtual machines are connected to VNET1.
You need to design a solution to manage the virtual machines from the internet.
The solution must meet the following requirements:
• Incoming connections to the virtual machines must be authenticated by using Azure
Multi-Factor Authentication (MFA) before network connectivity is allowed.
• Incoming connections must use TLS and connect to TCP port 443.
• The solution must support RDP and SSH.
What should you include in the solution? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.
Answer:
26. HOTSPOT
You have an Azure subscription named Subscription1 that is linked to a hybrid Azure Active
Directory (Azure AD) tenant.
You have an on-premises datacenter that does NOT have a VPN connection to Subscription1.
The datacenter contains a computer named Server1 that has Microsoft SQL Server 2016
installed. Server1 is prevented from accessing the internet.
An Azure logic app named LogicApp1 requires write access to a database on Server1.
You need to recommend a solution to provide LogicApp1 with the ability to access Server1.
What should you recommend deploying on-premises and in Azure? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: An on-premises data gateway
For logic apps in global, multi-tenant Azure that connect to on-premises SQL Server, you need
to have the on-premises data gateway installed on a local computer and a data gateway
resource that's already created in Azure.
Box 2: A connection gateway resource
Reference: https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-sqlazure
27. You plan to deploy an Azure SQL database that will store Personally Identifiable Information
(PII). You need to ensure that only privileged users can view the PII.
What should you include in the solution?
A. Transparent Data Encryption (TDE)
B. Data Discovery & Classification
C. dynamic data masking
D. role-based access control (RBAC)
Answer: C
28. You plan to automate the deployment of resources to Azure subscriptions.
What is a difference between using Azure Blueprints and Azure Resource Manager (ARM)
templates?
A. ARM templates remain connected to the deployed resources.
B. Only ARM templates can contain policy definitions.
C. Blueprints remain connected to the deployed resources.
D. Only Blueprints can contain policy definitions.
Answer: C
Explanation:
With Azure Blueprints, the relationship between the blueprint definition (what should be
deployed) and the blueprint assignment (what was deployed) is preserved. This connection
supports improved tracking and auditing of deployments. Azure Blueprints can also upgrade
several subscriptions at once that are governed by the same blueprint.
Reference: https://docs.microsoft.com/en-us/answers/questions/26851/how-is-azure-blue-prints-different-from-resource-m.html
29. HOTSPOT
You plan to develop a new app that will store business critical data.
The app must meet the following requirements:
• Prevent new data from being modified for one year.
• Minimize read latency.
• Maximize data resiliency.
You need to recommend a storage solution for the app.
What should you recommend? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy?toc=/azure/storage/blobs/toc.json
30. You plan to deploy 10 applications to Azure. The applications will be deployed to two Azure
Kubernetes Service (AKS) clusters. Each cluster will be deployed to a separate Azure region.
The application deployment must meet the following requirements:
• Ensure that the applications remain available if a single AKS cluster fails.
• Ensure that the connection traffic over the internet is encrypted by using SSL without having
to configure SSL on each container.
Which service should you include in the recommendation?
A. AKS ingress controller
B. Azure Traffic Manager
C. Azure Front Door
D. Azure Load Balancer
Answer: C
Explanation:
"Azure Front Door, which focuses on global load-balancing and site acceleration, and Azure
CDN Standard, which offers static content caching and acceleration. The new Azure Front Door
brings together security with CDN technology for a cloud-based CDN with threat protection and
additional capabilities."
31. You have an application that is used by 6,000 users to validate their vacation requests. The
application manages its own credential
Users must enter a username and password to access the application. The application does
NOT support identity providers.
You plan to upgrade the application to use single sign-on (SSO) authentication by using an
Azure Active Directory (Azure AD) application registration.
Which SSO method should you use?
A. password-based
B. OpenID Connect
C. header-based
D. SAML
Answer: A
32. HOTSPOT
You have an on-premises Microsoft SQL Server database named SQL1.
You plan to migrate SQL1 to Azure.
You need to recommend a hosting solution for SQL1.
The solution must meet the following requirements:
• Support the deployment of multiple secondary, read-only replicas.
• Support automatic replication between primary and secondary replicas.
• Support failover between primary and secondary replicas within a 15-minute recovery time
objective (RTO).
Answer:
33. Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure
ExpressRoute has been deployed and configured for on-premises to Azure connectivity.
Several VMs are exhibiting network connectivity issues.
You need to analyze the network traffic to determine whether packets are being allowed or
denied to the VMs.
Solution: Install and configure the Microsoft Monitoring Agent and the Dependency Agent on all
VMs. Use the Wire Data solution in Azure Monitor to analyze the network traffic.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Note: Wire Data looks at network data at the application level, not down at the TCP transport
layer.
The solution doesn't look at individual ACKs and SYNs.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
34. The subscriptions
Reference: https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal
Assign a blueprint
After a blueprint has been published, it can be assigned to a subscription.
Assign the blueprint that you created to one of the subscriptions under your management group
hierarchy. If the blueprint is saved to a subscription, it can only be assigned to that subscription.
35. You plan to store data in Azure Blob storage for many years. The stored data will be
accessed rarely.
You need to ensure that the data in Blob storage is always available for immediate access. The
solution must minimize storage costs.
Which storage tier should you use?
A. Cool
B. Archive
C. Hot
Answer: A
Explanation:
Azure cool tier is equivalent to the Amazon S3 Infrequent Access (S3-IA) storage in AWS that
provides low-cost, high-performance storage for infrequently accessed data.
Note: Azure's cool storage tier, also known as Azure cool Blob storage, is for infrequently
accessed data that needs to be stored for a minimum of 30 days. Typical use cases include
backing up data before tiering to archival systems, legal data, media files, system audit
information, datasets used for big data analysis and more.
The storage cost for this Azure cold storage tier is lower than that of the hot storage tier. Since it is
expected that the data stored in this tier will be accessed less frequently, the data access
charges are high when compared to the hot tier. There are no additional changes required in your
applications, as these tiers can be accessed using APIs in the same manner that you access
Azure storage.
Reference: https://cloud.netapp.com/blog/low-cost-storage-options-on-azure
36. You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a
security group named Group1. Group1 is configured for assigned membership. Group1 has 50
members, including 20 guest users.
You need to recommend a solution for evaluating the membership of Group1.
The solution must meet the following requirements:
• The evaluation must be repeated automatically every three months
• Every member must be able to report whether they need to be in Group1
• Users who report that they do not need to be in Group1 must be removed from Group1
automatically
• Users who do not report whether they need to be in Group1 must be removed from Group1
automatically.
What should you include in the recommendation?
A. Implement Azure AD Identity Protection.
B. Change the Membership type of Group1 to Dynamic User.
C. Implement Azure AD Privileged Identity Management.
D. Create an access review.
Answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#learn-about-access-reviews
Have reviews recur periodically: You can set up recurring access reviews of users at set
frequencies such as weekly, monthly, quarterly or annually, and the reviewers will be notified at
the start of each review. Reviewers can approve or deny access with a friendly interface and
with the help of smart recommendations.
An administrator creates an access review of Group C with 50 member users and 25 guest
users. Makes it a self-review. 50 licenses for each user as self-reviewers.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#example-license-scenarios
There are 4 requirements and every single one is only met by access reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#when-should-you-use-access-reviews
Dynamic User is needed if a user must be automatically granted access based on their attributes
(department, job title, location, etc.)
https://techcommunity.microsoft.com/t5/itops-talk-blog/dynamic-groups-in-azure-ad-and-microsoft-365/ba-p/2267494
Implementing Azure AD PIM is not a solution here and is not necessary for access reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#where-do-you-create-reviews
37. HOTSPOT
Your company deploys several Linux and Windows virtual machines (VMs) to Azure. The VMs
are deployed with the Microsoft Dependency Agent and the Microsoft Monitoring Agent installed
by using Azure VM extensions. On-premises connectivity has been enabled by using Azure
ExpressRoute.
You need to design a solution to monitor the VMs.
Which Azure monitoring services should you use? To answer, select the appropriate Azure
monitoring services in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Azure Network Watcher
Traffic Analytics is a cloud-based solution that provides visibility into user and application activity
in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG)
flow logs to provide insights into traffic flow in your Azure cloud.
With traffic analytics, you can:
• Identify security threats to, and secure your network, with information such as open-ports,
applications attempting internet access, and virtual machines (VM) connecting to rogue
networks.
• Visualize network activity across your Azure subscriptions and identify hot spots.
• Understand traffic flow patterns across Azure regions and the internet to optimize your
network deployment for performance and capacity.
• Pinpoint network misconfigurations leading to failed connections in your network.
Box 2: Azure Service Map
Service Map automatically discovers application components on Windows and Linux systems
and maps the communication between services. With Service Map, you can view your servers
in the way that you think of them: as interconnected systems that deliver critical services.
Service Map shows connections between servers, processes, inbound and outbound
connection latency, and ports across any TCP-connected architecture, with no configuration
required other than the installation of an agent.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/service-map
38. HOTSPOT
You have an on-premises file server that stores 2 TB of data files.
You plan to move the data files to Azure Blob storage in the Central Europe region.
You need to recommend a storage account type to store the data files and a replication solution
for the storage account.
The solution must meet the following requirements:
• Be available if a single Azure datacenter fails.
• Support storage tiers.
• Minimize cost.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Account Type: StorageV2
Replication solution: Zone-redundant storage (ZRS)
39. HOTSPOT
You have the Free edition of a hybrid Azure Active Directory (Azure AD) tenant. The tenant
uses password hash synchronization.
You need to recommend a solution to meet the following requirements:
• Prevent Active Directory domain user accounts from being locked out as the result of brute
force attacks targeting Azure AD user accounts.
• Block legacy authentication attempts to Azure AD integrated apps.
• Minimize costs.
What should you recommend for each requirement? To answer, select the appropriate options
in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Smart lockout
Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-
force methods to get in. Smart lockout can recognize sign-ins that come from valid users and
treat them differently than ones of attackers and other unknown sources. Attackers get locked
out, while your users continue to access their accounts and be productive.
Box 2: Conditional access policies
If your environment is ready to block legacy authentication to improve your tenant's protection,
you can accomplish this goal with Conditional Access.
How can you prevent apps using legacy authentication from accessing your tenant's resources?
The recommendation is to just block them with a Conditional Access policy. If necessary, you
allow only certain users and specific network locations to use apps that are based on legacy
authentication.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
40. You have data files in Azure Blob Storage.
You plan to transform the files and move them to Azure Data Lake Storage.
You need to transform the data by using mapping data flow.
Which service should you use?
A. Azure Data Box Gateway
B. Azure Databricks
C. Azure Data Factory
D. Azure Storage Sync
Answer: C
Explanation:
You can use Copy Activity in Azure Data Factory to copy data from and to Azure Data Lake
Storage Gen2, and use Data Flow to transform data in Azure Data Lake Storage Gen2.
Reference: https://docs.microsoft.com/en-us/azure/data-factory/connector-azure-data-lake-storage
41. What should you recommend to meet the monitoring requirements for App2?
A. Microsoft Sentinel
B. Azure Application Insights
C. Container insights
D. VM insights
Answer: B
42. You have an Azure subscription that contains two applications named App1 and App2.
App1 is a sales processing application. When a transaction in App1 requires shipping, a
message is added to an Azure Storage account queue, and then App2 listens to the queue for
relevant transactions.
In the future, additional applications will be added that will process some of the shipping
requests based on the specific details of the transactions.
You need to recommend a replacement for the storage account queue to ensure that each
additional application will be able to read the relevant transactions.
What should you recommend?
A. one Azure Service Bus queue
B. one Azure Service Bus topic
C. one Azure Data Factory pipeline
D. multiple storage account queues
Answer: B
Explanation:
A queue allows processing of a message by a single consumer. In contrast to queues, topics
and subscriptions provide a one-to-many form of communication in a publish and subscribe
pattern. It's useful for scaling to large numbers of recipients. Each published message is made
available to each subscription registered with the topic. Publisher sends a message to a topic
and one or more subscribers receive a copy of the message, depending on filter rules set on
these subscriptions.
Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-subscriptions
43. Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a correct
solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
Your company plans to deploy various Azure App Service instances that will use Azure SQL
databases.
The App Service instances will be deployed at the same time as the Azure SQL databases.
The company has a regulatory requirement to deploy the App Service instances only to specific
Azure regions. The resources for the App Service instances must reside in the same region.
You need to recommend a solution to meet the regulatory requirement.
Solution: You recommend using an Azure Policy initiative to enforce the location of resource
groups.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
This solution does not meet the goal because an Azure Policy initiative can only enforce the
location of resources, not resource groups. Resource groups are not a resource type that can
be targeted by Azure Policy [1]. To enforce the location of resource groups, you need to use
Azure Resource Manager templates [2] or Azure PowerShell [3] to create them in the desired
regions.
Reference:
[1] Understand scope in Azure Policy
[2] Create resource groups with Azure Resource Manager templates
[3] Create resource groups with Azure PowerShell
44. DRAG DROP
You have an on-premises application named App1.
Customers use App1 to manage digital images.
You plan to migrate App1 to Azure.
You need to recommend a data storage solution for App1.
The solution must meet the following image storage requirements:
• Encrypt images at rest.
• Allow files up to 50M
Answer:
45. HOTSPOT
You have an Azure subscription that contains multiple storage accounts.
You assign Azure Policy definitions to the storage accounts.
You need to recommend a solution to meet the following requirements:
• Trigger on-demand Azure Policy compliance scans.
• Raise Azure Monitor non-compliance alerts by querying logs collected by Log Analytics.
What should you recommend for each requirement? To answer, select the appropriate options
in the answer area. NOTE: Each correct selection is worth one point.
Answer: